You’ll have seen the fallout this week regarding a so-called “spearphishing” attack on the Reserve Bank of Australia (RBA) in 2011. As with most media reports on cyber-attacks, this one appears to have been overhyped. So what really happened?
The story – pertaining to attacks on November 16 and 17, 2011 – has gained a new lease of life following an article in the Financial Review earlier this week regarding documents released under Freedom of Information in December 2012.
The bank’s computer networks had been “repeatedly and successfully” hacked, including by “Chinese-developed malicious software […] seeking intelligence on sensitive G20 negotiations” according to the article – and this line was regurgitated ad nauseam by media outlets worldwide.
In response, the RBA issued a statement on Monday, confirming – in broad terms – the media reports, while emphasising all was well:
The Bank has on occasion been the target of cyber attacks. The Bank has comprehensive security arrangements in place which have isolated these attacks and ensured that viruses have not been spread across the Bank’s network or systems. At no point have these attacks caused the Bank’s data or information to be lost or its systems to be corrupted.
So, uh, what’s spearphishing?
Spearphishing is a term used to describe a targeted form of phishing, which most of us have been targets of at one stage or another. We have all received emails purporting to be from our banks asking us to verify our account details and/or usernames and passwords.
Such emails are termed “phishing” because people are seeking to fish private information from us – the “ph” is taken from the more historical phreaking, whereby people subvert or hack into telephone networks.
Importantly with phishing, the aim is to prey on the weaknesses of human users, not the technological security of the networks.
Spearphishing – unlike phishing – is targeted at specific email addresses. By doing this, and using a carefully-worded email, an attack is both more likely to succeed (as its phishing nature is not obvious) and yield better results (the target is specific, not random).
In the RBA’s case, an email titled “Strategic Planning FY2012” was supposedly sent to a number of staff and was opened by six of them, potentially compromising their workstations. The phishing part of the attack was used only as a vector to install a trojan virus within the RBA network – an application or file that people open believing it to contain useful information, but which instead, or additionally, installs a virus.
How did a trojan breach RBA security?
Rather than attaching the file to an email for virus scanners to check, the RBA’s attackers included a link to the file within the email; by clicking on this link, the file was downloaded from the internet directly rather than as an attachment.
The nature of the virus was such that the virus scanner software installed on the RBA’s PCs was unable to detect it. This may have been true even if the file had been an attachment, but in that case the attachment would have been flagged and not sent on to the end users until security staff had a chance to examine it.
The security hole came down to the cleverness of the email. Not only was it addressed to a targeted group of people within the RBA on a topic that was relevant to them – the email also purported to come from a senior staff member at the bank.
This last feature is not hard to achieve – it’s a simple task to make email appear to have been sent by somebody else.
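The two tricks described above – a forged internal sender and a download link in place of an attachment – both leave traces that a mail gateway can look for. The following Python script is an added example, not part of the original article or anything the RBA published; the organisation domain, the sample message and the risky file extensions are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed organisation mail domain (placeholder, not the RBA's)
RISKY_EXT = (".exe", ".scr", ".com", ".js", ".vbs", ".zip")  # extensions a document link should not carry

# Constructed sample in the shape of the message described: an internal-looking sender,
# the "Strategic Planning FY2012" subject, and a download link instead of an attachment.
SAMPLE = """\
From: "Senior Manager" <senior.manager@example.com>
Return-Path: <bounce@relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=relay.example.net; dkim=none
Subject: Strategic Planning FY2012
Content-Type: text/plain; charset="utf-8"

Please review the planning paper before Friday:
http://files.example.net/plans/Strategic_Planning_FY2012.exe
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def _domain(addr_header: str) -> str:
    """Lower-cased domain part of the first address in a header value."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()

def check_message(raw: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return the spearphishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_domain = _domain(msg.get("From", ""))
    auth = msg.get("Authentication-Results", "").lower()
    # 1. Claims to be internal, but neither SPF nor DKIM vouches for it: the cheap
    #    sender forgery the article refers to.
    if from_domain == org_domain and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("internal From address without SPF/DKIM pass (possible forged sender)")
    # 2. Bounce address belongs to a different domain than the visible sender.
    rp_domain = _domain(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    # 3. Links to executable-looking files on hosts outside the organisation: the
    #    link-instead-of-attachment delivery that sidesteps attachment scanning.
    body = (msg.get_payload(decode=True) or b"").decode(msg.get_content_charset() or "utf-8", "replace")
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host, path = (parsed.hostname or "").lower(), parsed.path.lower()
        internal = host == org_domain or host.endswith("." + org_domain)
        if not internal and path.endswith(RISKY_EXT):
            findings.append(f"external download link to {path.rsplit('/', 1)[-1]} on {host}")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("FLAG:", finding)
```

Such a check is a triage aid for the gateway or the security team, not a replacement for the scanner: it only turns the headers and body of a suspicious message into a short list of reasons to hold it for review.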
It appears as though the RBA had good computer security procedures in place. As the staff affected did not have local administrator privileges on their computers, the damage could be limited.
Further, once the breach was detected, the affected devices were quarantined until the damage could be repaired. By the end of the day, updated virus scanners were deployed and the machines were cleaned and re-enabled for use.
Where are we now?
Most of this week’s media reports appear to be a storm in a teacup. The fact a public entity such as the RBA is a target of cyber attacks is not a surprise. Despite the RBA not holding money for their customers, a successful attack would cause much embarrassment and damage credibility.
Neither is the assertion, or implication, that the attackers may be foreign government agencies strange. These sorts of attacks happen all the time as a means to probe defences and procedures.
The fact the attack succeeded to a small degree is not cause for alarm, as one would expect public entities to have their digital networks attacked regularly and an occasional breach is bound to occur. What is important is how quickly the breach can be detected and how damaging it was.
In this case the breach was minor, detected and dealt with quickly, and no damage was done. If anything, this week’s media reports show the RBA has a mature approach to network security that shows every indication of functioning as it should.
Keep calm and carry on …